Current security detection systems, such as a firewall and an intrusion detection system (IDS), determine, by inspecting network data, whether network traffic meets the requirements of a security policy. For the firewall and the IDS, there are two methods of traffic detection. One is called a “stateless detection method”. In this method, only the network characteristics of a single data packet are inspected. It is determined whether the network traffic is valid according to network attributes in the data packet (for example, quintuple information: source address, destination address, source port, destination port and protocol) or according to characteristics obtained from deep packet inspection (DPI) of the data packet (for example, content keywords in the application payload of the data packet). In this method, only a single data packet needs to be inspected, and the detection result is independent of the status of the network traffic and of the context of the network traffic.
A typical application of the “stateless detection method” is an access control list (ACL) firewall. This firewall determines whether traffic is valid according to information, for example, the “quintuple”, in a single data packet.
In the other method, the security detection system needs to inspect multiple data packets and determine, according to information carried by the sequence (context) of those data packets, whether the network traffic meets the requirements of the security policy. This is called a “method for stateful detection of network traffic”. In this method, a security device node needs to identify information that is carried by the sequence formed by the multiple data packets, such as an abnormal Transmission Control Protocol (TCP) connection status, content keywords of an attack characteristic that are intentionally scattered across multiple data packets, and multiple specific data packets arriving in a specific order, so as to determine whether a communication data flow is valid. In the “method for stateful detection of network traffic”, stateful detection needs to be performed over the multiple data packets, and the detection result depends on the context of the network communication.
Specific security applications of the “method for stateful detection of network traffic” include “stateful inspection firewall” and “network intrusion detection” systems, most of which have IP fragment reassembly and session reassembly functions. What these firewalls and systems have in common is that invalid traffic cannot be identified by inspecting only a single data packet: multiple data packets must be inspected, and the characteristics carried by the sequence formed by those data packets must be identified to determine whether a communication activity is valid.
A typical application of the “method for stateful detection of network traffic” is a stateful inspection firewall (SIF) or an IDS.
Because the security functions that the “stateless detection method” is capable of implementing are limited, the method for stateful detection of network traffic is the most widely used method in network security.
A detection principle of the “method for stateful detection of network traffic” is as follows:
Rule Rule1 for detecting an attack may be represented by a sequence of a group of network detection events “A,B,C,D”. For example, when a security device node SIF/IDS identifies from the sequence of data packets that the events occur in the order “A,B,C,D”, it can be determined that attack event Attack1, which meets the attack characteristics of Rule1, has occurred. A single node observing only some of these events, or observing them in a different order, cannot conclude that Attack1 has occurred.
When a virtual machine (VM) acts as a communication entity, the security device node SIF/IDS is generally located on the same host as the virtual machine in order to detect the data flows of the virtual machine. In this case, if the virtual machine migrates, the security device node SIF/IDS that was responsible for detecting the traffic of the virtual machine before the migration can no longer detect the subsequent network traffic of the virtual machine, and the security device node SIF/IDS that is capable of detecting the traffic of the virtual machine after the migration does not know the network detection events that occurred before the migration. For example, if events “A,B” of Rule1 occur before the migration and events “C,D” occur after it, neither node observes the complete sequence. As a result, neither of the two security device nodes SIF/IDS, before and after the migration, can discover a network attack targeting the virtual machine, which degrades network system security.
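As an added example (not code from the original document), the following Python models the detection principle described above and the migration problem: a stateless detector that inspects one packet at a time, a stateful detector that tracks, per flow, how far the event sequence of Rule1 has progressed, and a simulation that splits the packet stream of a migrating virtual machine between two detector nodes. The packet representation, the flow keys and the sample stream are constructed for the example. The final step, copying the per-flow progress to the new node, only illustrates the cause stated above (the new node does not know the earlier events) and is not a mechanism taken from this document.

```python
from collections import defaultdict
from copy import deepcopy
from typing import Dict, List, Optional, Sequence, Tuple

# Rule1 from the text: Attack1 is reported when events A, B, C, D occur in this order.
RULES: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "Rule1": ("Attack1", ("A", "B", "C", "D")),
}

# Constructed packet representation: (flow key, event label or None).
# The flow key stands in for the quintuple; the event label stands in for what a
# single-packet classifier (TCP state tracking, DPI keyword match, ...) derived.
Packet = Tuple[str, Optional[str]]


class StatelessDetector:
    """Inspects one packet at a time and keeps nothing between packets."""

    def inspect(self, packet: Packet) -> Optional[str]:
        _flow, event = packet
        # Only a rule whose whole sequence fits in one packet could match here;
        # Rule1 needs four packets, so this detector can never report Attack1.
        for attack, seq in RULES.values():
            if len(seq) == 1 and event == seq[0]:
                return attack
        return None


class StatefulDetector:
    """Remembers, per flow and per rule, how many leading events of the rule's
    sequence have been seen. That counter is the 'context' the text refers to."""

    def __init__(self) -> None:
        self.progress: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))

    def inspect(self, packet: Packet) -> Optional[str]:
        flow, event = packet
        if event is None:
            return None  # packet carries no event of interest
        for rule, (attack, seq) in RULES.items():
            pos = self.progress[flow][rule]
            if event == seq[pos]:
                pos += 1  # the next expected event of the sequence arrived
                if pos == len(seq):
                    self.progress[flow][rule] = 0  # sequence complete; start over
                    return attack
                self.progress[flow][rule] = pos
            # Any other event (benign traffic interleaved by the attacker) is ignored,
            # so events "intentionally scattered" across packets still match.
        return None

    def export_state(self) -> Dict[str, Dict[str, int]]:
        return deepcopy({flow: dict(rules) for flow, rules in self.progress.items()})

    def import_state(self, state: Dict[str, Dict[str, int]]) -> None:
        for flow, rules in state.items():
            self.progress[flow].update(rules)


def run(detector, packets: Sequence[Packet]) -> List[str]:
    """Feed a packet stream to one detector and collect the attacks it reports."""
    return [a for a in (detector.inspect(p) for p in packets) if a is not None]


def simulate_migration(packets: Sequence[Packet], migrate_after: int,
                       transfer_state: bool) -> List[str]:
    """The VM is watched by node `before` on its first host, then migrates; node
    `after` on the new host sees only the remaining packets of the stream."""
    before, after = StatefulDetector(), StatefulDetector()
    alerts = run(before, packets[:migrate_after])
    if transfer_state:
        # Not the document's mechanism: simply handing the earlier events to the
        # new node shows that their absence is what breaks detection.
        after.import_state(before.export_state())
    alerts += run(after, packets[migrate_after:])
    return alerts


# Constructed sample stream: the attacker scatters A, B, C, D among benign packets
# to the VM; a second flow carries the same events out of order and must not match.
STREAM: List[Packet] = [
    ("attacker->vm1", "A"),
    ("attacker->vm1", None),
    ("attacker->vm1", "B"),
    ("other->vm1", "D"),
    ("other->vm1", "C"),
    ("attacker->vm1", "C"),
    ("other->vm1", "B"),
    ("attacker->vm1", None),
    ("attacker->vm1", "D"),
    ("other->vm1", "A"),
]
MIGRATION_POINT = 4  # the VM migrates after the fourth packet: A and B seen on the old host


if __name__ == "__main__":
    print("stateless:             ", run(StatelessDetector(), STREAM))
    print("stateful, no migration:", run(StatefulDetector(), STREAM))
    print("migration, state lost: ", simulate_migration(STREAM, MIGRATION_POINT, False))
    print("migration, state moved:", simulate_migration(STREAM, MIGRATION_POINT, True))
```

Run as a script: the stateless detector reports nothing, a single stateful node reports Attack1, the two nodes around a migration without shared state report nothing (the old node saw only A and B, the new node only C and D), and they report Attack1 once the progress counter is carried over.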